CompTIA CASP+ (CAS-004) — Question 631

A DNS forward lookup zone named comptia.org must:

• Ensure the DNS is protected from on-path attacks.
• Ensure zone transfers use mutual authentication and are authenticated and negotiated.

Which of the following should the security architect configure to meet these requirements? (Choose two.)

Answer options

• A. Public keys
• B. Conditional forwarders
• C. Root hints
• D. DNSSEC
• E. CNAME records
• F. SRV records

Correct answer: A, D

Explanation

The correct answers are A and D. Public keys are essential for establishing secure communications and mutual authentication during zone transfers, while DNSSEC provides integrity and authenticity for DNS data, protecting against on-path attacks. The other options do not provide the necessary security features required for the specified tasks.